Key-Recovery Fault Injection Attack on the Classic McEliece KEM

Sabine Pircher, Johannes Geier, Julian Danner, Daniel Mueller-Gritschneder, Antonia Wachter-Zeh

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

We present a key-recovery fault injection attack on the Classic McEliece Key Encapsulation Mechanism (KEM). The fault injections target the error-locator polynomial of the Goppa code and the validity checks in the decryption algorithm, making a chosen ciphertext attack possible. Faulty decryption outputs are used to generate a system of polynomial equations in the secret support elements of the Goppa code. After solving the equations, we can determine a suitable Goppa polynomial and form an alternative secret key. To demonstrate the feasibility of the attack on hardware, we simulate the fault injections on virtual prototypes of two RISC-V cores at register-transfer level.

Original language: English
Title of host publication: Code-Based Cryptography - 10th International Workshop, CBCrypto 2022, Revised Selected Papers
Editors: Jean-Christophe Deneuville
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 37-61
Number of pages: 25
ISBN (Print): 9783031296888
State: Published - 2023
Event: 10th International Workshop on Code-Based Cryptography, CBCrypto 2022 - Trondheim, Norway
Duration: 29 May 2022 - 30 May 2022

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 13839 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 10th International Workshop on Code-Based Cryptography, CBCrypto 2022
Country/Territory: Norway
City: Trondheim
Period: 29/05/22 - 30/05/22

Keywords

  • Classic McEliece
  • Fault Attack
  • Key Encapsulation Mechanism
  • Key Recovery
  • Laser Fault Injections
  • Post-Quantum Cryptography
